Package: ntlmaps
Version: 0.9.9-4
Severity: important

When ntlmaps is used to serve BASIC to NTLM authentication translation,
it tries to connect to the parent proxy with Basic credentials supplied
by the client, therefore nullifying any security benefits gained from
using NTLM authentication.

Below is an example of a typical ntlmaps <-> parent proxy HTTP
conversation (as captured by tcpdump and displayed by ethereal;
response bodies and unimportant header parameters are omitted):

ntlmaps> GET http://www.avtomatikarus.com/logo-en.gif HTTP/1.0
ntlmaps> User-Agent: Wget/1.9.1
ntlmaps> Host: www.avtomatikarus.com
ntlmaps> Accept: */*
ntlmaps> Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==

proxy> HTTP/1.0 407 Proxy Authentication Required
proxy> Mime-Version: 1.0
proxy> Date: Thu, 26 Jan 2006 10:07:04 GMT
proxy> Content-Type: text/html
proxy> Content-Length: 1354
proxy> Proxy-Authenticate: NTLM
proxy> Proxy-Connection: close

ntlmaps> GET http://www.avtomatikarus.com/logo-en.gif HTTP/1.0
ntlmaps> User-Agent: Wget/1.9.1
ntlmaps> Host: www.avtomatikarus.com
ntlmaps> Accept: */*
ntlmaps> Proxy-Authorization: NTLM TlRMTVNT...
(value cropped)
ntlmaps> Proxy-Connection: Keep-Alive

proxy> HTTP/1.0 407 Proxy Authentication Required
proxy> Mime-Version: 1.0
proxy> Date: Thu, 26 Jan 2006 10:07:04 GMT
proxy> Content-Type: text/html
proxy> Content-Length: 1354
proxy> Proxy-Authenticate: NTLM TlRMTVNT...
(value cropped)
proxy> Proxy-Connection: keep-alive

ntlmaps> GET http://www.avtomatikarus.com/logo-en.gif HTTP/1.0
ntlmaps> User-Agent: Wget/1.9.1
ntlmaps> Host: www.avtomatikarus.com
ntlmaps> Accept: */*
ntlmaps> Proxy-Authorization: NTLM TlRMTVNT...
(value cropped)

proxy> HTTP/1.0 407 Proxy Authentication Required
proxy> Mime-Version: 1.0
proxy> Date: Thu, 26 Jan 2006 10:07:05 GMT
proxy> Content-Type: text/html
proxy> Content-Length: 1354
proxy> Proxy-Authenticate: NTLM
proxy> Proxy-Connection: close
(Access was denied due to obviously incorrect credentials)

The ntlmaps configuration that was used follows:

[GENERAL]
LISTEN_PORT:5865
PARENT_PROXY:proxy
PARENT_PROXY_PORT:8080
PARENT_PROXY_TIMEOUT:15
ALLOW_EXTERNAL_CLIENTS:0
FRIENDLY_IPS:
URL_LOG:0
MAX_CONNECTION_BACKLOG:5
[CLIENT_HEADER]
[NTLM_AUTH]
NT_HOSTNAME:knu
NT_DOMAIN:AVT
LM_PART:0
NT_PART:1
NTLM_FLAGS: 05820000
NTLM_TO_BASIC:1
[DEBUG]
DEBUG:1
BIN_DEBUG:1
SCR_DEBUG:1
AUTH_DEBUG:1

The following patch masks out the Proxy-Authorization
parameter during client request retransmission when using
BASIC to NTLM authentication translation:

--- proxy_client.py.distrib     2006-01-26 12:11:02.856709592 +0300
+++ proxy_client.py     2006-01-26 12:01:41.227937741 +0300
@@ -307,8 +307,25 @@
     #-----------------------------------------------------------------------
     def send_client_header(self):
         ""
-        self.logger.log('*** Sending client request header to remote 
server...')
-        ok = self.client_head_obj.send(self.rserver_socket)
+
+       ok = 0
+
+        if self.config['NTLM_AUTH']['NTLM_TO_BASIC'] and 
self.client_head_obj.has_param('Proxy-Authorization'):
+           # Assuming Proxy-Authorization parameter contains Basic credentials.
+           # Masking it out, because of unsafety and unnecessarity.
+
+            proxy_authorization_values = 
self.client_head_obj.get_param_values('Proxy-Authorization')
+            self.client_head_obj.del_param('Proxy-Authorization')
+
+            self.logger.log('*** Sending client request header without 
Proxy-Authorization parameter to remote server...')
+            ok = self.client_head_obj.send(self.rserver_socket)
+
+            for value in proxy_authorization_values:
+                self.client_head_obj.add_param_value('Proxy-Authorization', 
value)
+       else:
+            self.logger.log('*** Sending client request header to remote 
server...')
+            ok = self.client_head_obj.send(self.rserver_socket)
+
         if ok:
             self.client_header_sent = 1
             self.logger.log('Done.\n')
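Review bot: the new condition at the top of send_client_header() strips Proxy-Authorization whenever NTLM_TO_BASIC is set, and the comment under it says the value is only assumed to be Basic; test that the value actually begins with "Basic" before calling del_param(), so a header carrying another scheme is not silently dropped. The delete/send/re-add sequence also leaves the header missing from client_head_obj if send() raises, so the restore loop should sit in a try/finally around the send. The added lines "ok = 0", the two comment lines and "else:" are indented one column short of their neighbours (7 and 11 columns against 8 and 12), which points to tabs mixed with spaces; re-indent with spaces only. Several added lines are also wrapped by the mailer, so the patch will need to be re-sent as an attachment to apply cleanly.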

-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (990, 'stable'), (700, 'testing'), (600, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)

Versions of packages ntlmaps depends on:
ii  debconf [debconf-2.0]         1.4.30.13  Debian configuration management sy
ii  python                        2.3.5-2    An interactive high-level object-o

-- debconf information excluded
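
A check for the leak described in this report, as an added example that is not part of the original report or of ntlmaps: it scans a capture written in the report's "ntlmaps>" / "proxy>" notation and flags every upstream request that still carries Basic credentials. The function name, the result fields and the sample capture (including its NTLM token) are constructed for illustration.

```python
import base64
import binascii

# Constructed sample in the report's capture notation (not the original trace).
SAMPLE_CAPTURE = """\
ntlmaps> GET http://www.example.com/logo.gif HTTP/1.0
ntlmaps> Host: www.example.com
ntlmaps> Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==

proxy> HTTP/1.0 407 Proxy Authentication Required
proxy> Proxy-Authenticate: NTLM

ntlmaps> GET http://www.example.com/logo.gif HTTP/1.0
ntlmaps> Host: www.example.com
ntlmaps> Proxy-Authorization: NTLM TlRMTVNTUAABAAAA
"""


def find_basic_leaks(capture, sender="ntlmaps"):
    """Return one finding per request from `sender` that carries Basic credentials."""
    findings = []
    request_line = None
    prefix = sender + "> "
    for raw in capture.splitlines():
        if not raw.startswith(prefix):
            continue  # parent proxy responses, blank lines, annotations
        line = raw[len(prefix):].strip()
        name, sep, value = line.partition(":")
        if not sep or " " in name:
            request_line = line  # header names never contain spaces
            continue
        if name.lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue  # NTLM messages are the expected upstream scheme
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            decoded = ""
        user, colon, password = decoded.partition(":")
        # Report the account name only; the password itself is never echoed.
        findings.append({"request": request_line,
                         "user": user if colon else None,
                         "password_exposed": bool(colon and password)})
    return findings


if __name__ == "__main__":
    for finding in find_basic_leaks(SAMPLE_CAPTURE):
        print("Basic credentials sent upstream:", finding)
```

Run against a capture taken between a patched ntlmaps and the parent proxy, the function should return an empty list.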

